Using a break glass account for emergency admin access

Isolated Cloud restricts authentication to SSO through your identity provider (IdP). You can create a break glass account for emergency access to the Isolated Cloud admin interface if either of the following occur:

• Your IdP becomes unavailable, is misconfigured, or is compromised

• You otherwise lock yourself out of org-level administration

A break glass account is a dedicated administrator account that bypasses SSO and is governed by an immutable authentication policy. It lets you regain access to your organization's admin interface so you can restore IdP or SSO settings, without:

• re-enabling broad password logins

• allowing full product access (Jira, Confluence, etc.) on this account

• relaxing auditability or security controls

How break glass access works

Break glass accounts are created during Isolated Cloud provisioning and are governed by a read-only authentication policy that cannot be modified by org admins. The policy enforces the following controls:

When to use a break glass account

Use break glass access only when you cannot sign in to your organization's admin interface through your normal SSO flow. Common scenarios include:

• Your IdP is experiencing an outage or has become unreachable.

• SSO settings have been misconfigured and are preventing admin logins.

• Your IdP has been compromised, and you need to reconfigure or rotate SSO settings.

• You have otherwise locked yourself out of org-level administration.

How to request a password reset

Break glass password reset is a high-touch, support-mediated process. You cannot reset the password yourself.

1. Submit a support request. An authorized org admin submits a request to Atlassian Support, identifying the specific break glass account that needs a password reset.

2. Atlassian verifies the requester. Atlassian Support validates that the requester is an authorized org admin using standard customer verification procedures.

3. Atlassian issues a reset link. Support sends a one-time, short-lived password reset link (valid for 1 hour) directly to the break glass account email address.

4. Set your password and register MFA. Use the reset link to set a strong password and register (or re-register) your FIDO2 hardware MFA key.

5. Sign in to the admin interface. Navigate to your Isolated Cloud admin URL (for example, admin.<your-org>.atlassian-isolated.net) and sign in using your new password and hardware MFA key from an allowlisted IP address.

6. Perform recovery actions. Restore or reconfigure your IdP and SSO settings as needed.

After using break glass access

After each use of a break glass account:

1. Rotate credentials. Request a password reset through Atlassian Support and update your secure vault records.

2. Re-confirm MFA key custody. Verify that hardware MFA keys are securely held by authorized personnel.

3. Review audit logs. Check the Audit Log for all events associated with the break glass session and correlate them with the support ticket.

4. Close the incident record. Document the recovery actions taken and attach supporting evidence.

Managing break glass accounts

All changes to break glass accounts require a support request to Atlassian. You cannot self-serve any of the following actions:

• Provisioning a new break glass account

• De-provisioning an existing break glass account

• Updating the authentication policy (for example, changing allowlisted IP ranges)

• Modifying the IdP/SSO domain allowlist

• Initiating a password reset on an existing break glass account